Utility Cyber Security Hampered by Standards, Vendors, Industry Culture

Electric utilities are our nation's critical infrastructure ground zero. But the lack of standards, vendor inadequacy and the glacial pace of utility technological change are among the top challenges to keeping the grid safe from digital threats according to industry experts speaking at the Smart Grid Security Virtual Summit today.  It's very difficult for utilities to "create a process to achieve security because they are always waiting for a standard," Ward Pyles, Senior Security Analyst, Southern Company said.

Speaking of the morass of ever-changing cyber security protocols available to utilities from the government and private sector groups, Pyles recommended that each utility develop its own standard and then stick to it.  "It's hard to choose what is the best one for you but you have to look at each of them and then create your own standard.  Pick one if you can and if you can't come up with a compilation."

Utility vendors must be more attentive to, and utilities must demand in their RFPs and RFIs, stronger cyber security technologies, Ward said.  "We're seeing solutions today that have default passwords that are embedded in code," a cyber security risk that utilities must mitigate.

"There is little or no cybersecurity in the devices utilities deploy," Patrick Miller, President and CEO of utility security group EnergySec said.  "The vendors have come a long way but it is still not a pretty picture."

The utility culture is "much more resistant to change," facing technology life cycles that typically span twenty years, making the new digital era particularly challenging for utilities looking to implement adequate cyber security procedures according to John Stewart, a cyber security specialist engineer at the Tennessee Valley Authority.  IT technology is truly a "different paradigm" for most utilities, Stewart said. The IT sector is a culture of constant change and "it's definitely different from the power industry" where change is "not one of our cultural strong suits."

Moreover, utilities don't have the luxury of interrupting service to install new software or technologies, as do many IT-based businesses.  "It's hard to imagine a world where substations operate in a patch Tuesday mindset," he said.  

Stewart argues that cyber security and utility communications infrastructure be separated from core operations while minimizing the amount of "daylight" between security and core function devices.  "Longer term we will push vendors toward more modular solutions that separate security and communications from core functionality just because the two industries are so different."

Slide from presentation by John Stewart, TVA

Posted in: Critical Infrastructure,Cyber Security,Smart Grid